feat: Add signing key param for jwt signing (#270)

googleapis · May 18, 2020 · c05b228 · c05b228
1 parent 397aff5
commit c05b228
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 4 deletions.
diff --git a/src/OAuth2.php b/src/OAuth2.php
@@ -175,6 +175,13 @@ class OAuth2 implements FetchAuthTokenInterface
      */
     private $signingKey;
 
+    /**
+     * The signing key id when using assertion profile. Param kid in jwt header
+     *
+     * @var string
+     */
+    private $signingKeyId;
+
     /**
      * The signing algorithm when using an assertion profile.
      *
@@ -294,6 +301,9 @@ class OAuth2 implements FetchAuthTokenInterface
      * - signingKey
      *   Signing key when using assertion profile
      *
+     * - signingKeyId
+     *   Signing key id when using assertion profile
+     *
      * - refreshToken
      *   The refresh token associated with the access token
      *   to be refreshed.
@@ -327,6 +337,7 @@ public function __construct(array $config)
             'sub' => null,
             'audience' => null,
             'signingKey' => null,
+            'signingKeyId' => null,
             'signingAlgorithm' => null,
             'scope' => null,
             'additionalClaims' => [],
@@ -345,6 +356,7 @@ public function __construct(array $config)
         $this->setExpiry($opts['expiry']);
         $this->setAudience($opts['audience']);
         $this->setSigningKey($opts['signingKey']);
+        $this->setSigningKeyId($opts['signingKeyId']);
         $this->setSigningAlgorithm($opts['signingAlgorithm']);
         $this->setScope($opts['scope']);
         $this->setExtensionParams($opts['extensionParams']);
@@ -436,7 +448,8 @@ public function toJwt(array $config = [])
         return $this->jwtEncode(
             $assertion,
             $this->getSigningKey(),
-            $this->getSigningAlgorithm()
+            $this->getSigningAlgorithm(),
+            $this->getSigningKeyId()
         );
     }
 
@@ -1042,6 +1055,26 @@ public function setSigningKey($signingKey)
         $this->signingKey = $signingKey;
     }
 
+    /**
+     * Gets the signing key id when using an assertion profile.
+     *
+     * @return string
+     */
+    public function getSigningKeyId()
+    {
+        return $this->signingKeyId;
+    }
+
+    /**
+     * Sets the signing key id when using an assertion profile.
+     *
+     * @param string $signingKeyId
+     */
+    public function setSigningKeyId($signingKeyId)
+    {
+        $this->signingKeyId = $signingKeyId;
+    }
+
     /**
      * Gets the signing algorithm when using an assertion profile.
      *
@@ -1324,17 +1357,18 @@ private function jwtDecode($idToken, $publicKey, $allowedAlgs)
         return \JWT::decode($idToken, $publicKey, $allowedAlgs);
     }
 
-    private function jwtEncode($assertion, $signingKey, $signingAlgorithm)
+    private function jwtEncode($assertion, $signingKey, $signingAlgorithm, $signingKeyId = null)
     {
         if (class_exists('Firebase\JWT\JWT')) {
             return \Firebase\JWT\JWT::encode(
                 $assertion,
                 $signingKey,
-                $signingAlgorithm
+                $signingAlgorithm,
+                $signingKeyId
             );
         }
 
-        return \JWT::encode($assertion, $signingKey, $signingAlgorithm);
+        return \JWT::encode($assertion, $signingKey, $signingAlgorithm, $signingKeyId);
     }
 
     /**

diff --git a/tests/OAuth2Test.php b/tests/OAuth2Test.php
@@ -430,6 +430,47 @@ public function testFailsWithMissingSigningAlgorithm()
         $o->toJwt();
     }
 
+    public function testCanHS256EncodeAValidPayloadWithSigningKeyId()
+    {
+        $testConfig = $this->signingMinimal;
+        $keys = array(
+            'example_key_id1' => 'example_key1',
+            'example_key_id2' => 'example_key2'
+        );
+        $testConfig['signingKey'] = $keys['example_key_id2'];
+        $testConfig['signingKeyId'] = 'example_key_id2';
+        $o = new OAuth2($testConfig);
+        $payload = $o->toJwt();
+        $roundTrip = $this->jwtDecode($payload, $keys, array('HS256'));
+        $this->assertEquals($roundTrip->iss, $testConfig['issuer']);
+        $this->assertEquals($roundTrip->aud, $testConfig['audience']);
+        $this->assertEquals($roundTrip->scope, $testConfig['scope']);
+    }
+
+    public function testFailDecodeWithoutSigningKeyId()
+    {
+        $testConfig = $this->signingMinimal;
+        $keys = array(
+            'example_key_id1' => 'example_key1',
+            'example_key_id2' => 'example_key2'
+        );
+        $testConfig['signingKey'] = $keys['example_key_id2'];
+        $o = new OAuth2($testConfig);
+        $payload = $o->toJwt();
+
+        try {
+            $this->jwtDecode($payload, $keys, array('HS256'));
+        } catch (\Exception $e) {
+            if (($e instanceof \DomainException || $e instanceof \UnexpectedValueException) &&
+                $e->getMessage() === '"kid" empty, unable to lookup correct key') {
+                // Workaround: In old JWT versions throws DomainException
+                return;
+            }
+            throw $e;
+        }
+        $this->fail("Expected exception about problem with decode");
+    }
+
     public function testCanHS256EncodeAValidPayload()
     {
         $testConfig = $this->signingMinimal;